PROBLEM: Several vulnerabilities have been discovered in the interpreter for the Python language which may lead to the execution of arbitrary code.
PLATFORM: Debian GNU/Linux 4.0 (stable, etch)
DAMAGE: Execute arbitrary code.
SOLUTION: Upgrade to the appropriate version.
VULNERABILITY ASSESSMENT: The risk is MEDIUM. May lead to the execution of arbitrary code if a user is tricked into processing malformed images.
CVSS 2 BASE SCORE: 6.4
CVSS 2 TEMPORAL SCORE: 5.3
CVSS 2 VECTOR: (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C)
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/s-276.shtml
ORIGINAL BULLETIN: http://www.debian.org/security/2008/dsa-1551
ADDITIONAL LINK: http://www.debian.org/security/2008/dsa-1620
CVE: CVE-2007-2052, CVE-2007-4965, CVE-2008-1679, CVE-2008-1721, CVE-2008-1887
REVISION HISTORY: 08/18/2008 - revised S-276 to add a link to Debian Security Advisory DSA-1620-1 for Debian GNU/Linux 4.0 (etch).

[***** Start Debian Security Advisory DSA-1551-1 *****]
Several vulnerabilities have been discovered in the interpreter for the Python language. The Common Vulnerabilities and Exposures project identifies the following problems:
Piotr Engelking discovered that the strxfrm() function of the locale module miscalculates the length of an internal buffer, which may result in a minor information disclosure.
It was discovered that several integer overflows in the imageop module may lead to the execution of arbitrary code, if a user is tricked into processing malformed images. This issue is also tracked as CVE-2008-1679 due to an initially incomplete patch.
Justin Ferguson discovered that a buffer overflow in the zlib module may lead to the execution of arbitrary code.
Justin Ferguson discovered that insufficient input validation in PyString_FromStringAndSize() may lead to the execution of arbitrary code.
For the stable distribution (etch), these problems have been fixed in version 2.4.4-3+etch1.
For the unstable distribution (sid), these problems have been fixed in version 2.4.5-2.
We recommend that you upgrade your python2.4 packages.
MD5 checksums of the listed files are available in the original advisory.
[***** End Debian Security Advisory DSA-1551-1 *****]
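The advisory names the fixed versions (2.4.4-3+etch1 for etch, 2.4.5-2 for sid) and recommends upgrading the python2.4 packages. The following is an added example, not code from CIAC or Debian, that checks an inventory of installed package versions against those fixed versions; it re-implements dpkg's version ordering so the check also runs on a host without dpkg, and the `SAMPLE` inventory lines are constructed for illustration.

```python
# Added example, not from the CIAC or Debian advisory: flag python2.4 packages whose
# installed version is older than the DSA-1551 fix, using dpkg's ordering rules.
import re
from itertools import zip_longest

FIXED = {"etch": "2.4.4-3+etch1", "sid": "2.4.5-2"}  # fixed versions named in the advisory

def _sign(x, y):
    return (x > y) - (x < y)

def _order(c):
    # dpkg weight of a non-digit char: '~' < end of string < letters < punctuation
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit / digit runs, as dpkg does within each part
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _sign(_order(ca), _order(cb))
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return _sign(int(da or 0), int(db or 0))
    return 0

def _split(v):
    # epoch:upstream-revision; epoch defaults to 0, revision to the empty string
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1, ordered like `dpkg --compare-versions` (epoch, upstream, revision)
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return _sign(ea, eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unfixed_packages(dpkg_lines, suite="etch"):
    # dpkg_lines: `dpkg-query -W -f '${Package} ${Version}\n'` style output
    out = []
    for line in dpkg_lines:
        pkg, _, ver = line.strip().partition(" ")
        if "python2.4" in pkg and ver and compare_versions(ver, FIXED[suite]) < 0:
            out.append((pkg, ver))
    return out

# Constructed sample inventory (not real data): one package is still at 2.4.4-3
SAMPLE = ["python2.4 2.4.4-3", "python2.4-minimal 2.4.4-3+etch1",
          "libpython2.4 2.4.4-3+etch1", "python2.5 2.5.2-1"]
```

`unfixed_packages(SAMPLE)` reports only `python2.4 2.4.4-3`; a `~` pre-release suffix correctly sorts below the plain version, and `+etch1` above it.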
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org